How should I secure the Private Key when using Asymmetric RSA encryption?

Question

I am using the RSACryptoServiceProvider and C#. I have a web server (A) that will be encrypting data and storing it in a database. I have another server (B) that will be reading the encrypted data and decrypting it. The private key will only ever live on server B.

I would like to limit private key access to my application and a very short list of domain users.

What is the best way to store the key so that it is safe from compromise by an unauthorized person?

Answer 1

You can use Windows RSA Key containers to store the key. The key can be installed / created by the aspnet_regiis.exe tool that ships with the .NET framework.

Here is a walkthrough.

The two options to look out for are:

-pi (installs a key to the RSA container)

-pa (managements permissions for the key)